diff --git a/backend/internal/controller/user_controller.go b/backend/internal/controller/user_controller.go index 38241975..1a39acd2 100644 --- a/backend/internal/controller/user_controller.go +++ b/backend/internal/controller/user_controller.go @@ -508,8 +508,15 @@ func (uc *UserController) RequestOneTimeAccessEmailAsAdminHandler(c *gin.Context // @Success 200 {object} dto.UserDto // @Router /api/one-time-access-token/{token} [post] func (uc *UserController) exchangeOneTimeAccessTokenHandler(c *gin.Context) { + loginCode := c.Param("token") + // reject invalid length login codes + if len(loginCode) != 6 && len(loginCode) != 16 { + _ = c.Error(&common.TokenInvalidOrExpiredError{}) + return + } + deviceToken, _ := c.Cookie(cookie.DeviceTokenCookieName) - user, token, err := uc.oneTimeAccessService.ExchangeOneTimeAccessToken(c.Request.Context(), c.Param("token"), deviceToken, c.ClientIP(), c.Request.UserAgent()) + user, token, err := uc.oneTimeAccessService.ExchangeOneTimeAccessToken(c.Request.Context(), loginCode, deviceToken, c.ClientIP(), c.Request.UserAgent()) if err != nil { _ = c.Error(err) return diff --git a/frontend/src/routes/login/alternative/code/+page.svelte b/frontend/src/routes/login/alternative/code/+page.svelte index 8535cd37..c7c4b40e 100644 --- a/frontend/src/routes/login/alternative/code/+page.svelte +++ b/frontend/src/routes/login/alternative/code/+page.svelte @@ -27,6 +27,7 @@ }); async function authenticate() { + if (!code?.trim()) return; isLoading = true; try { const user = await userService.exchangeOneTimeAccessToken(code);